topic Re: SNMPv3 with Client-list? in Management
https://forums.juniper.net/t5/Management/SNMPv3-with-Client-list/m-p/459275#M5522
Wed, 20 Feb 2019 16:14:33 GMT
gvandaal
2019-02-20T16:14:33Z

SNMPv3 with Client-list?
https://forums.juniper.net/t5/Management/SNMPv3-with-Client-list/m-p/459264#M5517
<P>Hi,</P>
<P>I've configured SNMPv3 with auth/priv, it works as expected.</P>
<P>I would now like to limit the clients that can read the device via SNMP. With SNMP v2 you can use the Client-list, but I don't see this option for SNMPv3?</P>
<P>Any ideas?</P>
<P>Kind regards</P>
Wed, 20 Feb 2019 14:52:25 GMT
https://forums.juniper.net/t5/Management/SNMPv3-with-Client-list/m-p/459264#M5517
gvandaal
2019-02-20T14:52:25Z

Re: SNMPv3 with Client-list?
https://forums.juniper.net/t5/Management/SNMPv3-with-Client-list/m-p/459265#M5518
With SNMPV2 how can you use client list?<BR /><BR />Regards,<BR />PL
Wed, 20 Feb 2019 14:59:03 GMT
https://forums.juniper.net/t5/Management/SNMPv3-with-Client-list/m-p/459265#M5518
PML
2019-02-20T14:59:03Z

Re: SNMPv3 with Client-list?
https://forums.juniper.net/t5/Management/SNMPv3-with-Client-list/m-p/459269#M5519
<P>Don't know how that will help my question, but something like this:</P>
<PRE>client-list READ {
    1.2.3.4/32;
}
community comvalue {
    authorization read-only;
    client-list-name READ;
}</PRE>
Wed, 20 Feb 2019 15:18:50 GMT
https://forums.juniper.net/t5/Management/SNMPv3-with-Client-list/m-p/459269#M5519
gvandaal
2019-02-20T15:18:50Z

Re: SNMPv3 with Client-list?
https://forums.juniper.net/t5/Management/SNMPv3-with-Client-list/m-p/459272#M5520
It should be the same for snmpv3 as well.<BR />Set snmp client-list ...<BR /><BR />Btw this forum is for management products like Junos Space, NSM and this query mainly looks to be for junos specific.<BR /><BR />Regards,<BR />PL
Wed, 20 Feb 2019 15:54:03 GMT
https://forums.juniper.net/t5/Management/SNMPv3-with-Client-list/m-p/459272#M5520
PML
2019-02-20T15:54:03Z

Re: SNMPv3 with Client-list?
https://forums.juniper.net/t5/Management/SNMPv3-with-Client-list/m-p/459275#M5522
<P>Apologies on the wrong section. Setting a client-list doesn't work.</P>
<P>I currently have SNMPv3 setup, and I'm able to connect with every possible IP, without a client list.</P>
<P>Would like to get this limited to our monitoring tools.</P>
Wed, 20 Feb 2019 16:14:33 GMT
https://forums.juniper.net/t5/Management/SNMPv3-with-Client-list/m-p/459275#M5522
gvandaal
2019-02-20T16:14:33Z

Re: SNMPv3 with Client-list?
https://forums.juniper.net/t5/Management/SNMPv3-with-Client-list/m-p/459340#M5524
<P>Hi gvandaal,</P>
<P>Restricting access to a certain IP and/or subnet in the [snmp] config stanza is not present for snmpv3 afaik.</P>
<P>But you can always use a control plane protection filter for the lo0.0 interface.</P>
<P>Just create a rule to allow snmp from your monitoring system IPs. For example:</P>
<PRE>set policy-options prefix-list SNMP 10.1.1.1/32
set policy-options prefix-list SNMP 192.168.1.0/24
set firewall family inet filter CoPP term SNMP from source-prefix-list SNMP
set firewall family inet filter CoPP term SNMP from protocol udp
set firewall family inet filter CoPP term SNMP from destination-port snmp
set firewall family inet filter CoPP term SNMP then accept
set firewall family inet filter CoPP term SNMP then count SNMP</PRE>
<P>Just don't forget to allow mgmt traffic to your box.</P>
<P>You can find more details on protecting control plane of your Juniper routers in the <A href="https://forums.juniper.net/jnet/attachments/jnet/DayOneArchive/77/5/Securing_RouteEngine_v2.pdf" target="_self">"Day One: Securing the Routing Engine"</A> book.</P>
<P>&nbsp;</P>
<P>Thanks,</P>
<P>Alex</P>
Thu, 21 Feb 2019 15:10:33 GMT
https://forums.juniper.net/t5/Management/SNMPv3-with-Client-list/m-p/459340#M5524
alex_kovalev
2019-02-21T15:10:33Z
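<P>Added example, not part of the original posts: the filter from the answer above, completed so that it can be applied to lo0.0 without cutting off other traffic to the routing engine. The SNMP-DROP and DEFAULT term names, the SNMP-DROP counter and the permissive final accept are assumptions made here; a hardened filter would replace the final accept with explicit terms for the management and routing protocols the box needs.</P>

```junos
# Prefix list and accept term as posted in the answer above
set policy-options prefix-list SNMP 10.1.1.1/32
set policy-options prefix-list SNMP 192.168.1.0/24
set firewall family inet filter CoPP term SNMP from source-prefix-list SNMP
set firewall family inet filter CoPP term SNMP from protocol udp
set firewall family inet filter CoPP term SNMP from destination-port snmp
set firewall family inet filter CoPP term SNMP then count SNMP
set firewall family inet filter CoPP term SNMP then accept

# Assumed addition: drop and count SNMP from every source not in the prefix list
set firewall family inet filter CoPP term SNMP-DROP from protocol udp
set firewall family inet filter CoPP term SNMP-DROP from destination-port snmp
set firewall family inet filter CoPP term SNMP-DROP then count SNMP-DROP
set firewall family inet filter CoPP term SNMP-DROP then discard

# Assumed addition: a filter ends in an implicit discard, so without a final
# accept term SSH, routing protocols and all other traffic to the box is dropped
set firewall family inet filter CoPP term DEFAULT then accept

# Apply the filter to traffic destined to the routing engine
set interfaces lo0 unit 0 family inet filter input CoPP

# Roll back automatically after 5 minutes unless a second commit confirms
commit confirmed 5
```

<P>After the commit, <code>show firewall filter CoPP</code> in operational mode lists the SNMP and SNMP-DROP counters, which shows whether pollers outside the prefix list are still trying to reach the device. The filter covers IPv4 only; SNMP reachable over IPv6 needs an equivalent <code>family inet6</code> filter.</P>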